A couple of real life examples: Our employee self service portal is open to the internet, as the business erred on the side of convenience over security. While this allows you to check time off and put in for sick days, it also allows you access to your W-2s and allows you to update your direct deposit settings.

We have a company with over 40,000 users. Phishers were able to get around 1000 people to reply with email creds; out of that number, they were able to change about 200 users' bank routing info to a bank account in India. They were even nice enough to change the info back after payday!

Second: A hacker has access to a CFO's email and schedule. Knowing when he's at a conference, the hacker emails his assistant or a senior person: "I need X amount transferred to this vendor immediately before they discontinue service! I'm at the conference all week and in meetings all day, so please don't call me, and take care of this. See you on Monday!"

Both are real world things I've seen. Just info for anyone saying that no one falls for this, or they are stupid, etc.

Hard to believe that anyone with corporate financial authority would fall for this. A sucker born every minute, I guess.

It's pretty straightforward stuff. These scammers don't just send an email claiming to be a Prince and asking for millions of dollars, or something similarly fraudulent on its face.

Instead, they do their best to emulate what would be typical behavior that will pass a cursory inspection, such as sending the sort of email you'd expect to receive. For instance, they'll pretend to be a worker at another company that has an existing relationship, like a supplier or customer. They'll send something that seems routine, like an update to account information, or a request to resend a payment that "didn't go through."

It's classic social engineering, and it's all about making it believable enough to catch enough people.

Quote:

A couple of real life examples: Our employee self service portal is open to the internet [...] Both are real world things I've seen.

And I would bet a lot of these companies are smaller, where CFOs or CEOs are more likely to operate informally, because everybody at the company knows everybody else and they're not "mature" enough to have strict controls (and, if they're privately held, SOX restrictions on how funds are handled don't apply).

Quote:

Hard to believe that anyone with corporate financial authority would fall for this. A sucker born every minute, I guess.

Outlook and Gmail make it pretty easy to spoof when you don't plainly see the sender's email address, and even then a "close enough" appearing address is easy to make.

Our corporate IT department recently added a big red "warning: this message originated outside of our office" banner to the top of every email we receive from the outside world to deal with precisely this issue. They decided to do that after some employees got burned by phishing and after a lot of mandatory company-wide training and even test phishing campaigns demonstrated how employees kept falling for things.

I imagine people who trivialize these kinds of schemes (i.e. so stupid and obvious only dummies would fall for them) are probably more prone to falling victim next time around than those who take lessons to heart (i.e. maybe obvious schemes, but still I better be more careful going forward)?
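The two tricks described in the posts above (a hidden or "close enough" sender address, and an external-mail banner as the countermeasure) are easy to put into code at the mail gateway. The following is an added example, not code from any poster or product mentioned in the thread; the domain `example.com`, the executive name, the threshold value and the sample message are all constructed assumptions. It decodes the `From` header, flags a display name that impersonates a known executive from a different address, an address hidden inside the display name, a look-alike of the organisation's own domain, and a `Reply-To` that diverts replies elsewhere, and it prepends the banner to external plain-text mail.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr
from difflib import SequenceMatcher

# Hypothetical organisation data (assumptions for this example).
INTERNAL_DOMAINS = {"example.com"}
VIP_ADDRESSES = {"jane doe": "jane.doe@example.com"}  # lowercased display name -> real address
LOOKALIKE_THRESHOLD = 0.8  # SequenceMatcher ratio; a one-character swap scores about 0.9

EXTERNAL_BANNER = "WARNING: this message originated outside of our organisation."


def _name_and_addr(header_value):
    """Decode an RFC 2047 header and split it into (display name, lowercased address)."""
    if not header_value:
        return "", ""
    decoded = str(make_header(decode_header(header_value)))
    name, addr = parseaddr(decoded)
    return name.strip(), addr.lower()


def lookalike_score(domain, trusted):
    """Similarity in 0..1; 1.0 is identical, 'examp1e.com' vs 'example.com' is about 0.91."""
    return SequenceMatcher(None, domain, trusted).ratio()


def assess_headers(raw_message):
    """Return the list of red flags found in a raw RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw_message)
    name, addr = _name_and_addr(msg.get("From"))
    domain = addr.rpartition("@")[2]
    flags = []

    external = domain not in INTERNAL_DOMAINS
    if external:
        flags.append("external-sender")

    # Display name matches a known executive but the address is not theirs.
    expected = VIP_ADDRESSES.get(name.lower())
    if expected and addr != expected:
        flags.append("vip-display-name-mismatch")

    # The display name itself contains an @address that differs from the real one;
    # clients that show only the name make this look like a legitimate sender.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and embedded.group(0).lower() != addr:
        flags.append("address-in-display-name")

    # A registered domain that is "close enough" to one of ours.
    if external and domain:
        for trusted in sorted(INTERNAL_DOMAINS):
            if lookalike_score(domain, trusted) >= LOOKALIKE_THRESHOLD:
                flags.append(f"lookalike-of:{trusted}")

    # Replies would silently go to a different mailbox than the apparent sender.
    _, reply_addr = _name_and_addr(msg.get("Reply-To"))
    if reply_addr and reply_addr != addr:
        flags.append("reply-to-mismatch")
    return flags


def with_external_banner(raw_message):
    """Prepend the banner to the body of external, non-multipart text/plain mail."""
    msg = message_from_string(raw_message)
    if "external-sender" not in assess_headers(raw_message):
        return msg
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        msg.set_payload(EXTERNAL_BANNER + "\n\n" + msg.get_payload())
    return msg


# Constructed sample: look-alike domain, impersonated executive, diverted replies.
SAMPLE_BEC = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: assistant@example.com
Subject: Urgent wire before I board
Content-Type: text/plain

I'm in meetings all week, don't call, just get this vendor paid today.
"""

if __name__ == "__main__":
    print(assess_headers(SAMPLE_BEC))
    print(with_external_banner(SAMPLE_BEC).get_payload())
```

The string-similarity check is deliberately simple; a production gateway would also compare against confusable Unicode characters and the domains of key suppliers and customers, since the thread's examples involve impersonated vendors as often as impersonated executives.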

Surprisingly not. Wire transfers have none of the protections an EFT or check have. What normally happens is that people set up an offshore wire account to trick people into sending money to, and they move the money out of that account the instant the money gets dumped in.

Quote:

Surprisingly not. Wire transfers have none of the protections an EFT or check have. What normally happens is that people set up an offshore wire account to trick people into sending money to, and they move the money out of that account the instant the money gets dumped in.

From the report, they also use (possibly unwitting) proxies dubbed "money mules" to help divide and bounce the funds, making it harder to trace.

Quote:

Money mules may be witting or unwitting accomplices who receive ill-gotten funds from the victims and then transfer the funds as directed by the fraudsters. The money is wired or sent by check to the money mule who then deposits it in his or her own bank account. Usually the mules keep a fraction for “their trouble” and then wire the money as directed by the fraudster. The fraudsters enlist and manipulate the money mules through romance scams or “work-at-home” scams.[...] These money mules were employed by the fraudsters to launder their ill-gotten gains by draining the funds into other accounts that are difficult to trace.

Hehe, that's $14M out of $28M that was wired out. We heard about this case from the local FBI field office 2 years ago when they came in to do an anti-phishing talk to our employees. How someone could rise to the point where they are in control of an account that can perform a $28M wire transfer without dual authentication and still be naive enough to fall for 411 scammers, I have zero clue.

On a related note, a friend told me about a secretary that bought several thousand dollars of Amazon gift cards and sent them electronically to a 'customer' who her boss was 'working with', only stopping after they asked for nearly double the amount. How the heck do you think that a legitimate business partner is going to contact you over email asking for Amazon gift cards?!?

Quote:

A couple of real life examples: [...] Second: A hacker has access to a CFO's email and schedule. Knowing when he's at a conference, the hacker emails his assistant or a senior person [...] Both are real world things I've seen.

Several attempts in my company from just this type of approach. Good enough effort (in terms of looking real - and timing it just like you describe) that the CFO and CEO both contacted me to verify the request came from me. We are a pretty informal shop, but fortunately they knew I would not fire off an email to wire money to someone new without us discussing it - so they checked.

These are a newer type of email than your typical 411 multi-billion sum letters, and more advanced phishing than before. They need to do some research on the victims and also try to keep sums below what individuals would need to get a large authorisation for. It is commonly the economics department or similar that is targeted: the people who handle the transactions on behalf of management. I have seen typical letters where they try to put some pressure on because of urgent payments etc., often cited as a reason for doing things not as per the official procedure.

Quote:

Hard to believe that anyone with corporate financial authority would fall for this. A sucker born every minute, I guess.

That was my first thought. I worked in purchasing for a company that did about $50m in revenue, so big but not giant, and routinely had to deal with accounting to get paperwork done right to get bills paid. They wouldn't send out a dime unless they had everything in order.

But my guess is that they were targeting smaller businesses that may have had more lax accounting procedures and record keeping.

Jokes aside, these are some serious issues, and they aren't your standard Nigerian "you could have $20 million!" deposit tricks. The bad guys hack into email servers, phone systems, monitor traffic, and learn the company from the inside out. Without sharing too many details, I know someone in finance who has been targeted twice by credible emails seeming to come from C-level execs at her work. Only because of a minor miracle did they not end up wiring large amounts of money into fraudulent accounts. So whatever work the FBI did to bring these guys to justice sounds like work well done.

convincing employees with access to a company’s financial credentials to transfer money fraudulently.

Quote:

Fraudsters can rob people of their life's savings in a matter of minutes

Scamming companies out of money is just as awful as conning old people out of their life savings. Stay classy, Jeff.

To this poster's benefit, I was going to point out the fact that scamming people out of life savings and wire transfer fraud against corporations are two very different things. Both are theft, but one is far more morally repugnant to me. AG Sessions conflating the two seems intended to cause more emotional impact, even though it is not related to protecting corporations from fraud in the slightest, and not what these people were arrested for.

Quote:

And I would bet a lot of these companies are smaller, where CFOs or CEOs are more likely to operate informally, because everybody at the company knows everybody else and they're not "mature" enough to have strict controls (and, if they're privately held, SOX restrictions on how funds are handled don't apply).

But small also has the advantage. There's no chance one of these schemes would have worked at the 25 person company I once worked at, because the comptroller knew everything that was going on, and more or less knew the CEO's whereabouts at all time. A strange email request to transfer a large sum of money to an unknown place, with a message saying "don't try to confirm this, I'm doing XYZ and can't be reached" would have elicited -- laughter.

I would think a medium sized -- couple hundred person company, would be the best target.

Also, we implemented SPF quite a while ago, to prevent spoofing emails from our own domain.
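To make concrete what the SPF deployment mentioned above actually decides, here is an added example (not the poster's configuration or any product's code) of a small SPF evaluator in the style of RFC 7208: it resolves a domain's `v=spf1` record, walks the `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers, enforces the ten-lookup limit so a self-including record ends in `permerror`, and returns the verdict a receiving MTA would act on. The zone data in `FAKE_DNS_TXT` is constructed for the example and stands in for real DNS TXT lookups.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups (hypothetical zone data).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per check
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, lookup=None, _budget=None):
    """Evaluate the SPF record of `domain` for a connecting `client_ip`.

    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    `lookup(name)` returns the TXT record string or None; defaults to the fake zone.
    """
    lookup = lookup or FAKE_DNS_TXT.get
    if _budget is None:
        _budget = [MAX_LOOKUPS]  # shared across include: recursion
    record = lookup(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")  # first colon only, so ip6:2001:db8::/32 survives
        matched = False

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare address becomes /32 or /128
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"  # too many lookups, e.g. an include loop
            inner = check_spf(arg, client_ip, lookup, _budget)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"  # include only matches on an inner pass
        else:
            # a, mx, ptr, exists need further DNS; not modelled in this example.
            return "permerror"

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match and without an explicit all


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.10", "2001:db8::1", "192.0.2.5"):
        print(ip, check_spf("example.com", ip))
```

One caveat worth stating: SPF is evaluated against the envelope sender (the `MAIL FROM` / `Return-Path` domain), not the `From:` header the recipient sees, so on its own it stops spoofing of your domain only when the receiver also ties that result to the visible header, which is what DMARC alignment (together with DKIM) adds. The `-all` versus `~all` choice also matters: `softfail` is frequently delivered anyway.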

Quote:

Hard to believe that anyone with corporate financial authority would fall for this. A sucker born every minute, I guess.

Quote:

Outlook and Gmail make it pretty easy to spoof when you don't plainly see the sender's email address [...] Our corporate IT department recently added a big red "warning: this message originated outside of our office" banner [...] after a lot of mandatory company-wide training and even test phishing campaigns demonstrated how employees kept falling for things.

Monthly, my organization will run an internal-only phishing campaign for employee training purposes, and you'd be surprised at the overall percentage that fall for the bait. Each e-mail contains one or more "red flags" for employees to look for (and raise awareness about), and even with some occasionally obvious flags, it will still catch people off-guard.

Training and awareness is key to staying ahead of this curve. Even then, you must remain extremely vigilant and employ additional avenues of protection when and where available. It is a never ending game of cat-and-mouse.

Quote:

Surprisingly not. Wire transfers have none of the protections an EFT or check have. What normally happens is that people set up an offshore wire account to trick people into sending money to, and they move the money out of that account the instant the money gets dumped in.

The job of the wire transfer department of a bank is to make sure the funds exist, and are transferred properly according to instructions. They really aren't in the fraud detection and enforcement business. They handle huge sums routinely, and I doubt a "small" one million dollar transfer raises an eyebrow.